
I have a data-driven website where the user can enter some strings on one page that go into a database. I am using LINQ for all inserts and updates, so I think that part is safe. The entered data is then displayed back to users on another page.

When outputting the data, I am not yet using LINQ (not sure if I need to), and I have some "SELECT" statements, similar to this:

SELECT Name, Description FROM Table WHERE ID=something

My question is: If the "Name" or "Description" data in the above statement contain malicious code, is SQL injection possible in that context?

All my SELECT statements with a "WHERE" clause are definitely only comparing numbers, so I think that part is safe. Cheers.

user3173098

1 Answer


As long as you aren't creating the SQL statements themselves from the user input, you are ok.

For example if you did the following:

var sqlStatement = "SELECT " + Name + " FROM Table WHERE ID=something";

And used that, it would definitely introduce an opportunity for SQL injection attacks.

kah608
  • Yeah, well like I said, user input is being used, but not like you suggested where string concatenation is being used... So I should be safe, right? – user3173098 Apr 04 '16 at 22:47
  • Correct. If you absolutely need to use the user input for your SQL then use a SQLCommand and add SQLParameters so you are not using the strings to build your SQL. See this SO post http://stackoverflow.com/questions/910465/avoiding-sql-injection-without-parameters – kah608 Apr 05 '16 at 13:38
  • 1
    Agree no direct risk but if another application uses the query results as input to another query without proper escaping or parameterization, you've essentially become a carrier of the injection even though you're not directly affected. Always validate and/or sanitize input before writing to the DB. Also, you're still open to general code injection attacks. In this case, it's ripe for persistent cross site scripting attacks which could result in other properties, including your database, being breached. – SQLmojoe Apr 05 '16 at 18:00
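As an added example (not code from the question or the answer), here is the parameterized SqlCommand approach the comments recommend, in C# with System.Data.SqlClient, together with the output-encoding step that addresses the persistent XSS point in the last comment. It assumes a connection string, a table literally named Table (bracketed because TABLE is a T-SQL keyword) with an integer ID column and nvarchar Name/Description columns; all of those are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

public static class SafeLookup
{
    // Reads Name and Description for one row by numeric ID.
    // The ID travels as a typed parameter, so nothing the caller passes
    // can ever become part of the SQL text itself.
    public static (string Name, string Description)? Load(string connectionString, int id)
    {
        const string sql = "SELECT Name, Description FROM [Table] WHERE ID = @id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;
                string name = reader.IsDBNull(0) ? "" : reader.GetString(0);
                string desc = reader.IsDBNull(1) ? "" : reader.GetString(1);
                return (name, desc);
            }
        }
    }

    // Stored values are data, not markup: encode them at output time so any
    // HTML or script a user typed into Name is displayed literally, not executed.
    public static string RenderRow((string Name, string Description) row)
    {
        return "<h2>" + WebUtility.HtmlEncode(row.Name) + "</h2>\n"
             + "<p>" + WebUtility.HtmlEncode(row.Description) + "</p>";
    }

    // Feeding a stored value back into another query (the "carrier" case from
    // the comments): again a parameter, never concatenation, so quotes or SQL
    // keywords inside the stored text stay inert data.
    public static SqlCommand FindByName(SqlConnection conn, string storedName)
    {
        var cmd = new SqlCommand("SELECT ID FROM [Table] WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = storedName;
        return cmd;
    }
}
```

The same rule applies whether the WHERE clause compares a number or a string: the parameter carries the value, and the SQL text never changes shape with the input.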